Snap Application works in classic mode, fails in Dev mode and Strict

I am developing an application which works correctly when snapped and installed in Classic mode, but fails immediately when snapped and installed for Dev mode or Strict mode.

Starting the snap gives the following error:
//==============
cannot update snap namespace: cannot create writable mimic over "/": permission denied
snap-update-ns failed with code 1: File exists
//==============

Background
The snap is a JavaFX self-contained app for the management of photographic images. It reads and writes files (.jpg, .txt) from the user's file systems, including USB-connected storage and devices (cameras), and network storage via the resident file system.

As the Application is self-contained from a Java execution environment perspective, there is no need for the app to access host system Java execution engines or paths.

The app maintains a filestore for the imported images and created text files, with a database to enable certain relationships between the images and text files to be maintained. Import, export and backup functionality is built in to enable the user to manage and catalogue a significantly large number of images.

It also has the ability to email images to recipients using its internal email functionality.

The user's home directory is determined within the application by the JavaFX system call:
String directory = System.getProperty("user.home");

Sub-directories are created in the $HOME directory on first startup and some resources are created, and some copied from the App's pre-compiled resources into these user sub-directories. This is enabled by the "layout" section of the snapcraft.yaml file.

The App is started by an IDE-generated shell script. The IDE is IntelliJ IDEA Community edition.
The script (called photonotebook) reads as follows:
//========================
#!/bin/sh
DIR="${0%/*}"
"$DIR/java" -p "$DIR/…/app" -m PhotoNoteBook/com.dryjointproductions.photonotebook.PhotoNoteBook "$@"
//===================================

Checking for AppArmor issues gives:
//================
sudo journalctl --since=today | grep audit
Dalek kernel: audit: type=1400 audit(1593531855.176:2321): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.photonotebook" name="/tmp/.snap/" pid=22555 comm="5" srcname="/" flags="rw, rbind"
//=============

The snapcraft.yaml file is as follows:
//================================================
name: photonotebook
title: PhotoNoteBook
version: '1'
summary: The digital photography library manager and notebook
license: Proprietary
description: PhotoNoteBook is a digital photograph library manager enabling collections of images and the making of notes and memos for the collections and the photographs.
icon: photonotebook.png
confinement: strict
grade: stable
base: core18

apps:
  photonotebook:
    plugs: [desktop, desktop-legacy, wayland, unity7, unity8, home, network, network-bind, x11, opengl, removable-media, optical-drive]
    command: bin/photonotebook

layout:
  /resources:
    bind: $SNAP/resources

parts:
  photonotebook:
    plugin: dump
    source: ./photonotebook/
    stage-packages: [libfreetype6, libpng16-16, libx11-6, libxext6, libxi6, libxrender1, libxtst6, libasound2]

//=========================================================

snap version information:

snapLinux => snap --version
snap 2.45.1
snapd 2.45.1
series 16
ubuntu 18.04
kernel 4.15.0-108-generic

//=========================================================

Please can someone explain the error to me and point a way forward.

I would prefer to have the app released in Strict mode if possible, knowing the community's general distaste for classic confinement. However, I currently cannot see how the Application can read and write the wide range of files it needs to access (imagery and text files) from local and network-attached file systems, and from USB-attached storage and cameras, in Strict confinement.

The app also contains a small internal email facility for sending images to recipients.

Please be aware that I am a solo developer whose expertise is primarily in Apps programming, rather than Linux and Snap, so words of few syllables may be required!

Thanks in anticipation
Alan
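An added example, not code from the thread, from snapd or from snapcraft: a small Python lint for the `layout:` block of a snapcraft.yaml. The denial above comes from snap-update-ns trying to build a "writable mimic" over `/` so that it can create `/resources`, a top-level directory the read-only core18 base does not have, and the snap-update-ns AppArmor profile refuses that mount. The lint flags layout targets that would need a new top-level directory or that sit inside locations layouts may not touch. Everything it knows is an assumption stated in the code: the core18 root listing, the forbidden-prefix list (from the snapcraft layouts documentation as remembered), and the relocated target `/usr/share/photonotebook/resources` in the "fixed" sample, which keeps the same `$SNAP/resources` source but puts it under a directory the base already has. The sample snapcraft.yaml text is constructed from the one in the post.

```python
"""Lint the layout: section of a snapcraft.yaml for targets that snapd cannot
realise on a read-only base under strict confinement.

Assumptions (from the snapcraft layouts documentation as remembered, not
verified against the snapd source):
  * a target whose top-level directory does not exist in the base forces
    snap-update-ns to build a "writable mimic" over /, and the
    snap-update-ns AppArmor profile refuses that mount (the denial in the
    thread);
  * the prefixes in FORBIDDEN_PREFIXES may not be used as layout targets.
Only the small indentation-based YAML subset a layout block uses is parsed,
so no PyYAML is required.
"""
import re

# Top-level entries of an Ubuntu 18.04 root, which is what core18 provides.
# Assumption: taken from a stock install, not read from the squashfs.
BASE_TOP_LEVEL = {
    "bin", "boot", "dev", "etc", "home", "lib", "lib64", "media", "mnt",
    "opt", "proc", "root", "run", "sbin", "snap", "srv", "sys", "tmp",
    "usr", "var",
}

FORBIDDEN_PREFIXES = (
    "/boot", "/dev", "/home", "/lib/firmware", "/lib/modules", "/lost+found",
    "/media", "/proc", "/run", "/sys", "/tmp", "/var/lib/snapd", "/var/snap",
)

TARGET_RE = re.compile(r"(/\S*):")


def parse_layout(snapcraft_yaml):
    """Return {target: {key: value}} for the top-level layout: block."""
    layout, target, in_layout = {}, None, False
    for raw in snapcraft_yaml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if not in_layout:
            in_layout = indent == 0 and line == "layout:"
            continue
        if indent == 0:            # next top-level key: layout block is over
            break
        m = TARGET_RE.fullmatch(line)
        if m:                      # "  /usr/share/foo:"
            target = m.group(1)
            layout[target] = {}
        elif target is not None:   # "    bind: $SNAP/foo"
            key, _, value = line.partition(":")
            layout[target][key.strip()] = value.strip()
    return layout


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def lint_layout(layout):
    """Map each layout target to a list of problems; an empty list is clean."""
    report = {}
    for target in layout:
        issues = []
        if any(_under(target, p) for p in FORBIDDEN_PREFIXES):
            issues.append("target is inside a location layouts may not touch")
        top = target.strip("/").split("/")[0]
        if top not in BASE_TOP_LEVEL:
            issues.append(
                "target creates a new top-level directory, which needs a "
                "writable mimic over /; snap-update-ns is denied that mount")
        report[target] = issues
    return report


# Constructed sample: the layout from the post, then an assumed fix that
# relocates the target under a directory core18 already has. The source
# ($SNAP/resources) is unchanged; only the path the app reads from moves.
POSTED = """\
name: photonotebook
base: core18
confinement: strict

layout:
  /resources:
    bind: $SNAP/resources

parts:
  photonotebook:
    plugin: dump
"""
FIXED = POSTED.replace("/resources:", "/usr/share/photonotebook/resources:")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        for target, issues in lint_layout(parse_layout(text)).items():
            print(label, target, "->", issues or "ok")
```

Run it against a real snapcraft.yaml by passing the file's text to `parse_layout`. The cheapest fix the lint points at is to drop the layout entirely and have the app read `$SNAP/resources` directly, since the post says the resources are only ever read; a layout is only needed when a path is hard-coded and cannot be changed.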

can you show the system journal denials? i.e. what’s the output of journalctl -e --no-pager | grep DENIED ?

Hi,
Ran the command as specified following attempting to run the app:
journalctl -e --no-pager | grep DENIED
Jun 30 17:39:02 Dalek audit[25563]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.photonotebook" name="/tmp/.snap/" pid=25563 comm="5" srcname="/" flags="rw, rbind"
Jun 30 17:39:02 Dalek kernel: audit: type=1400 audit(1593535142.756:2322): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.photonotebook" name="/tmp/.snap/" pid=25563 comm="5" srcname="/" flags="rw, rbind"

cheers!
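An added example, not from the thread or from snapd: a Python triage helper for the `journalctl ... | grep DENIED` step above. It parses the key="value" fields of each AppArmor audit record, keeps only the profiles snapd generates for one snap (`snap.<snap>.<app>` for apps, `snap-update-ns.<snap>` for the namespace helper), collapses the duplicate the journal prints for every event (one AVC record, one kernel audit record, as in the two lines above), and attaches a one-line hint. The hints are my heuristics, not snapd's own diagnostics; the record format and profile naming are assumed from what the thread shows. The sample lines are the two from the post plus one constructed denial for a different snap, to show the filtering.

```python
"""Triage AppArmor DENIED lines from the journal for one snap.

Assumptions: the audit record layout shown in the thread (key="value" pairs
after the AVC / "audit:" prefix), snapd's profile naming
(snap.<snap>.<app> for apps, snap-update-ns.<snap> for the namespace
helper), and the hint text, which is a heuristic reading of the thread's
"cannot create writable mimic over /" error, not snapd's own diagnostics.
"""
import re
import subprocess

PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted if quoted else bare
            for key, quoted, bare in PAIR_RE.findall(line)}


def snap_profiles(snap):
    """Prefixes of the AppArmor profiles snapd generates for a snap."""
    return ("snap." + snap + ".", "snap-update-ns." + snap)


def denials_for_snap(lines, snap):
    """Keep this snap's denials, dropping the AVC/kernel duplicate the
    journal prints for each event."""
    seen, records = set(), []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not rec.get("profile", "").startswith(snap_profiles(snap)):
            continue
        key = (rec["profile"], rec.get("operation"), rec.get("name"),
               rec.get("srcname"), rec.get("pid"))
        if key not in seen:
            seen.add(key)
            records.append(rec)
    return records


def explain(rec):
    """One-line triage hint. Heuristics, not snapd's own logic."""
    profile, op = rec.get("profile", ""), rec.get("operation")
    if profile.startswith("snap-update-ns.") and op == "mount":
        if rec.get("srcname") == "/" and rec.get("name", "").startswith("/tmp/.snap"):
            return ("snap-update-ns tried to rbind / into /tmp/.snap to build a "
                    "writable mimic over /: a layout: target needs a new "
                    "top-level directory, which the profile refuses")
        return "layout mount refused; check the layout: targets in snapcraft.yaml"
    if rec.get("requested_mask"):
        return "file access %s on %s refused; a plug/interface is missing" % (
            rec["requested_mask"], rec.get("name"))
    return "unclassified; read /var/lib/snapd/apparmor/profiles/" + profile


def summarise(lines, snap):
    """[(profile, operation, name, hint), ...] for one snap."""
    return [(r["profile"], r.get("operation"), r.get("name"), explain(r))
            for r in denials_for_snap(lines, snap)]


def journal_denials():
    """Live equivalent of `journalctl -e --no-pager | grep DENIED`."""
    out = subprocess.run(["journalctl", "--no-pager", "--since=today"],
                         capture_output=True, text=True, check=False).stdout
    return [l for l in out.splitlines() if "DENIED" in l]


# Constructed sample: the two lines from the thread (journald logs each
# event as an AVC record and again as a kernel audit record) plus one made-up
# denial for a different snap, to show the filter.
SAMPLE = """\
Jun 30 17:39:02 Dalek audit[25563]: AVC apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.photonotebook" name="/tmp/.snap/" pid=25563 comm="5" srcname="/" flags="rw, rbind"
Jun 30 17:39:02 Dalek kernel: audit: type=1400 audit(1593535142.756:2322): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="snap-update-ns.photonotebook" name="/tmp/.snap/" pid=25563 comm="5" srcname="/" flags="rw, rbind"
Jun 30 17:40:11 Dalek kernel: audit: type=1400 audit(1593535211.004:2330): apparmor="DENIED" operation="open" profile="snap.othersnap.app" name="/etc/shadow" pid=25900 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
""".splitlines()

if __name__ == "__main__":
    for row in summarise(SAMPLE, "photonotebook"):
        print(*row, sep=" | ")
```

On a live machine, `summarise(journal_denials(), "photonotebook")` gives the same table for today's journal. The `snap-update-ns.<snap>` profile is worth filtering on separately from the app profiles: a denial there happens before the app runs at all, so it points at the snapcraft.yaml (layouts, interfaces that mount) rather than at anything the app does.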

Can you upload to a pastebin or here the full content of the file /var/lib/snapd/apparmor/profiles/snap-update-ns.photonotebook?

Also when running your snap, can you upload what it shows with SNAP_CONFINE_DEBUG=1 snap run photonotebook ... (with whatever args you normally use).

Thanks

Hi Ian,
as requested, output from SNAP_CONFINE_* and file /var/lib/snapd/apparmor/profiles/snap-update-ns.photonotebook

Even a newbie like me can now see there is a problem with the /resources layout … the App only needs read access to this, but I have no idea of how to solve this!

Thanks for your help!
Alan
//=========================

Wed Jul 01 08:16 /home/alan => SNAP_CONFINE_DEBUG=1 snap run photonotebook
DEBUG: umask reset, old umask was 022
DEBUG: security tag: snap.photonotebook.photonotebook
DEBUG: executable: /usr/lib/snapd/snap-exec
DEBUG: confinement: non-classic
DEBUG: base snap: core18
DEBUG: ruid: 1000, euid: 0, suid: 0
DEBUG: rgid: 1000, egid: 1000, sgid: 1000
DEBUG: apparmor label on snap-confine is: /snap/core/9436/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/photonotebook.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope photonotebook, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: photonotebook
DEBUG: snappy_udev_init
DEBUG: forked support process 26925
DEBUG: unsharing the mount namespace (per-snap)
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: scratch directory for constructing namespace: /tmp/snap.rootfs_G8GYbe
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: opening file describing nvidia driver version
DEBUG: looking for nvidia canary file /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: nvidia library detected at path /usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libEGL.so -> libEGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libEGL.so.1 -> libEGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libEGL.so.1.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libEGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libEGL_nvidia.so.0 -> libEGL_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libEGL_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libEGL_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGL.so -> libGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGL.so.1 -> libGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGL.so.1.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libOpenGL.so -> libOpenGL.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libOpenGL.so.0 -> libOpenGL.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libOpenGL.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libOpenGL.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv1_CM.so -> libGLESv1_CM.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv1_CM.so.1 -> libGLESv1_CM.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv1_CM.so.1.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv1_CM.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv1_CM_nvidia.so.1 -> libGLESv1_CM_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv1_CM_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv1_CM_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv2.so -> libGLESv2.so.2.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv2.so.2 -> libGLESv2.so.2.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv2.so.2.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv2.so.2.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv2_nvidia.so.2 -> libGLESv2_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLESv2_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLESv2_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX_indirect.so.0 -> libGLX_mesa.so.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX_nvidia.so.0 -> libGLX_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLX_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX.so -> libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX.so.0 -> libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLX.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLdispatch.so -> libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLdispatch.so.0 -> libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLdispatch.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLU.so -> libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLU.so.1 -> libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libGLU.so.1.3.1 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libcuda.so -> libcuda.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libcuda.so.1 -> libcuda.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libcuda.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libcuda.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvcuvid.so -> libnvcuvid.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvcuvid.so.1 -> libnvcuvid.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvcuvid.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvcuvid.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-cfg.so -> libnvidia-cfg.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-cfg.so.1 -> libnvidia-cfg.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-cfg.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-cfg.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-compiler.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-compiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-eglcore.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-eglcore.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-egl-wayland.so.1 -> libnvidia-egl-wayland.so.1.0.2
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-egl-wayland.so.1.0.2 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-egl-wayland.so.1.0.2
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-encode.so -> libnvidia-encode.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-encode.so.1 -> libnvidia-encode.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-encode.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-encode.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-fatbinaryloader.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-fatbinaryloader.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-fbc.so -> libnvidia-fbc.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-fbc.so.1 -> libnvidia-fbc.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-fbc.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-fbc.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-glcore.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-glsi.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-glsi.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ifr.so -> libnvidia-ifr.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ifr.so.1 -> libnvidia-ifr.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ifr.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-ifr.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ml.so -> libnvidia-ml.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ml.so.1 -> libnvidia-ml.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ml.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-ml.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-opencl.so.1 -> libnvidia-opencl.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-opencl.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-opencl.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so -> libnvidia-ptxjitcompiler.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so.1 -> libnvidia-ptxjitcompiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-ptxjitcompiler.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-ptxjitcompiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/libnvidia-tls.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/libnvidia-tls.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/tls/libnvidia-tls.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/tls/libnvidia-tls.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so -> libvdpau_nvidia.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so.1 -> libvdpau_nvidia.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl/vdpau/libvdpau_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/x86_64-linux-gnu/vdpau/libvdpau_nvidia.so.390.138
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl
DEBUG: opening file describing nvidia driver version
DEBUG: looking for nvidia canary file /usr/lib/i386-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: nvidia library detected at path /usr/lib/i386-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libEGL_nvidia.so.0 -> libEGL_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libEGL_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libEGL_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGL.so.1 -> libGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGL.so.1.0.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGL.so.1.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLESv1_CM_nvidia.so.1 -> libGLESv1_CM_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLESv1_CM_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLESv1_CM_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLESv2_nvidia.so.2 -> libGLESv2_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLESv2_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLESv2_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLX_indirect.so.0 -> libGLX_mesa.so.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLX_nvidia.so.0 -> libGLX_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLX_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLX_nvidia.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLX.so.0 -> libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLX.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLX.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLdispatch.so.0 -> libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLdispatch.so.0.0.0 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLdispatch.so.0.0.0
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLU.so.1 -> libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libGLU.so.1.3.1 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libGLU.so.1.3.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libcuda.so -> libcuda.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libcuda.so.1 -> libcuda.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libcuda.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libcuda.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvcuvid.so -> libnvcuvid.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvcuvid.so.1 -> libnvcuvid.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvcuvid.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvcuvid.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-compiler.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-compiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-eglcore.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-eglcore.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-egl-wayland.so.1 -> libnvidia-egl-wayland.so.1.0.2
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-egl-wayland.so.1.0.2 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-egl-wayland.so.1.0.2
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-encode.so -> libnvidia-encode.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-encode.so.1 -> libnvidia-encode.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-encode.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-encode.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-fatbinaryloader.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-fatbinaryloader.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-fbc.so -> libnvidia-fbc.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-fbc.so.1 -> libnvidia-fbc.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-fbc.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-fbc.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-glcore.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-glcore.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-glsi.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-glsi.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ifr.so -> libnvidia-ifr.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ifr.so.1 -> libnvidia-ifr.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ifr.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-ifr.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ml.so -> libnvidia-ml.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ml.so.1 -> libnvidia-ml.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ml.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-ml.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-opencl.so.1 -> libnvidia-opencl.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-opencl.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-opencl.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so -> libnvidia-ptxjitcompiler.so.1
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so.1 -> libnvidia-ptxjitcompiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-ptxjitcompiler.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-ptxjitcompiler.so.390.138
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/libnvidia-tls.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/libnvidia-tls.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/tls/libnvidia-tls.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/tls/libnvidia-tls.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so -> libvdpau_nvidia.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so.1 -> libvdpau_nvidia.so.390.138
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32/vdpau/libvdpau_nvidia.so.390.138 -> /var/lib/snapd/hostfs/usr/lib/i386-linux-gnu/vdpau/libvdpau_nvidia.so.390.138
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/gl32
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/vulkan
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/vulkan/icd.d/nvidia_icd.json -> /var/lib/snapd/hostfs/usr/share/vulkan/icd.d/nvidia_icd.json
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/vulkan
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: mounting tmpfs at /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/glvnd
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: creating symbolic link /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/glvnd/egl_vendor.d/10_nvidia.json -> /var/lib/snapd/hostfs/usr/share/glvnd/egl_vendor.d/10_nvidia.json
DEBUG: remounting tmpfs as read-only /tmp/snap.rootfs_G8GYbe/var/lib/snapd/lib/glvnd
DEBUG: performing operation: pivot_root /tmp/snap.rootfs_G8GYbe /tmp/snap.rootfs_G8GYbe//var/lib/snapd/hostfs
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: rmdir /var/lib/snapd/hostfs//tmp/snap.rootfs_G8GYbe
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:1000 (change: yes)
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: performing operation: (disabled) use debug build to see details
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: calling snapd tool snap-update-ns
DEBUG: waiting for snapd tool snap-update-ns to terminate
DEBUG: requesting changing of apparmor profile on next exec to snap-update-ns.photonotebook
common.go:60: DEBUG: locking mount namespace of snap “photonotebook”
common.go:81: DEBUG: freezing processes of snap “photonotebook”
change.go:124: DEBUG: need to create writable mimic needed to create path “/resources” (original error: cannot operate on read-only filesystem at /)
utils.go:456: DEBUG: create-writable-mimic “/”
change.go:316: DEBUG: mount name:"/" dir:"/tmp/.snap" type:"" opts:MS_BIND|MS_REC unparsed:"" (error: permission denied)
common.go:89: DEBUG: unlocking mount namespace of snap “photonotebook”
common.go:91: DEBUG: thawing processes of snap “photonotebook”
cannot update snap namespace: cannot create writable mimic over “/”: permission denied
snap-update-ns failed with code 1: File exists
//===================

Content of the file /var/lib/snapd/apparmor/profiles/snap-update-ns.photonotebook

//======================

# Description: Allows snap-update-ns to construct the mount namespace specific
# to a particular snap (see the name below). This specifically includes the
# precise locations of the layout elements.

# vim:syntax=apparmor

#include <tunables/global>

profile snap-update-ns.photonotebook (attach_disconnected) {
  # The next four rules mirror those above. We want to be able to read
  # and map snap-update-ns into memory but it may come from a variety of places.
  /usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/usr/lib{,exec,64}/snapd/snap-update-ns mr,
  /{,var/lib/snapd/}snap/{core,snapd}/*/usr/lib/snapd/snap-update-ns mr,
  /var/lib/snapd/hostfs/{,var/lib/snapd/}snap/core/*/usr/lib/snapd/snap-update-ns mr,

  # Allow reading the dynamic linker cache.
  /etc/ld.so.cache r,
  # Allow reading, mapping and executing the dynamic linker.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
  # Allow reading and mapping various parts of the standard library and
  # dynamically loaded nss modules and what not.
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
  /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,

  # Common devices accesses
  /dev/null rw,
  /dev/full rw,
  /dev/zero rw,
  /dev/random r,
  /dev/urandom r,

  # golang runtime variables
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Allow reading the command line (snap-update-ns uses it in pre-Go bootstrap code).
  @{PROC}/@{pid}/cmdline r,

  # Allow reading file descriptor paths
  @{PROC}/@{pid}/fd/* r,

  # Allow reading /proc/version. For release.go WSL detection.
  @{PROC}/version r,

  # Allow reading somaxconn, required in newer distro releases
  @{PROC}/sys/net/core/somaxconn r,
  # but silence noisy denial of inet/inet6
  deny network inet,
  deny network inet6,

  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/}os-release r,

  # Allow creating/grabbing global and per-snap lock files.
  /run/snapd/lock/photonotebook.lock rwk,
  /run/snapd/lock/.lock rwk,

  # Allow reading stored mount namespaces,
  /run/snapd/ns/ r,
  /run/snapd/ns/photonotebook.mnt r,

  # Allow reading per-snap desired mount profiles. Those are written by
  # snapd and represent the desired layout and content connections.
  /var/lib/snapd/mount/snap.photonotebook.fstab r,
  /var/lib/snapd/mount/snap.photonotebook.user-fstab r,

  # Allow reading and writing actual per-snap mount profiles. Note that
  # the wildcard in the rule to allow an atomic write + rename strategy.
  # Those files are written by snap-update-ns and represent the actual
  # mount profile at a given moment.
  /run/snapd/ns/snap.photonotebook.fstab{,.*} rw,

  # NOTE: at this stage the /snap directory is stable as we have called
  # pivot_root already.

  # Needed to perform mount/unmounts.
  capability sys_admin,
  # Needed for mimic construction.
  capability chown,
  # Needed for dropping to calling user when processing per-user mounts
  capability setuid,
  capability setgid,
  # Allow snap-update-ns to override file ownership and permission checks.
  # This is required because writable mimics now preserve the permissions
  # of the original and hence we may be asked to create a directory when the
  # parent is a tmpfs without DAC write access.
  capability dac_override,

  # Allow freezing and thawing the per-snap cgroup freezers
  /sys/fs/cgroup/freezer/snap.photonotebook/freezer.state rw,

  # Allow the content interface to bind fonts from the host filesystem
  mount options=(ro bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /snap/photonotebook/*/**,
  mount options=(rw private) -> /snap/photonotebook/*/**,
  umount /snap/photonotebook/*/**,

  # set up user mount namespace
  mount options=(rslave) -> /,

  # Allow traversing from the root directory and several well-known places.
  # Specific directory permissions are added by snippets below.
  / r,
  /etc/ r,
  /snap/ r,
  /tmp/ r,
  /usr/ r,
  /var/ r,
  /var/snap/ r,

  # Allow reading timezone data.
  /usr/share/zoneinfo/** r,

  # Don't allow anyone to touch /snap/bin
  audit deny mount /snap/bin/** -> /**,
  audit deny mount /** -> /snap/bin/**,

  # Don't allow bind mounts to /media which has special
  # sharing and propagates mount events outside of the snap namespace.
  audit deny mount -> /media,

  # Allow receiving signals from unconfined (eg, systemd)
  signal (receive) peer=unconfined,
  # Allow sending and receiving signals from ourselves.
  signal peer=@{profile_name},

  # Commonly needed permissions for writable mimics.
  /tmp/ r,
  /tmp/.snap/{,**} rw,

  # Mount the document portal
  mount options=(bind) /run/user/[0-9]*/doc/by-app/snap.photonotebook/ -> /run/user/[0-9]*/doc/,
  umount /run/user/[0-9]*/doc/,

  # Read-only access to /usr/share/fonts
  mount options=(bind) /var/lib/snapd/hostfs/usr/share/fonts/ -> /usr/share/fonts/,
  remount options=(bind, ro) /usr/share/fonts/,
  umount /usr/share/fonts/,

  # Read-only access to /usr/local/share/fonts
  mount options=(bind) /var/lib/snapd/hostfs/usr/local/share/fonts/ -> /usr/local/share/fonts/,
  remount options=(bind, ro) /usr/local/share/fonts/,
  umount /usr/local/share/fonts/,

  # Read-only access to /var/cache/fontconfig
  mount options=(bind) /var/lib/snapd/hostfs/var/cache/fontconfig/ -> /var/cache/fontconfig/,
  remount options=(bind, ro) /var/cache/fontconfig/,
  umount /var/cache/fontconfig/,

  # Layout /resources: bind $SNAP/resources
  mount options=(rbind, rw) /snap/photonotebook/x1/resources/ -> /resources/,
  mount options=(rprivate) -> /resources/,
  umount /resources/,

  # Writable mimic /
  # … permissions for traversing the prefix that is assumed to exist
  / r,

  # Writable mimic /snap/photonotebook/x1
  /snap/ r,
  /snap/photonotebook/ r,
  # … variant with mimic at /snap/photonotebook/x1/
  # Allow reading the mimic directory, it must exist in the first place.
  /snap/photonotebook/x1/ r,
  # Allow setting the read-only directory aside via a bind mount.
  /tmp/.snap/snap/photonotebook/x1/ rw,
  mount options=(rbind, rw) /snap/photonotebook/x1/ -> /tmp/.snap/snap/photonotebook/x1/,
  # Allow mounting tmpfs over the read-only directory.
  mount fstype=tmpfs options=(rw) tmpfs -> /snap/photonotebook/x1/,
  # Allow creating empty files and directories for bind mounting things
  # to reconstruct the now-writable parent directory.
  /tmp/.snap/snap/photonotebook/x1/*/ rw,
  /snap/photonotebook/x1/*/ rw,
  mount options=(rbind, rw) /tmp/.snap/snap/photonotebook/x1/*/ -> /snap/photonotebook/x1/*/,
  /tmp/.snap/snap/photonotebook/x1/* rw,
  /snap/photonotebook/x1/* rw,
  mount options=(bind, rw) /tmp/.snap/snap/photonotebook/x1/* -> /snap/photonotebook/x1/*,
  # Allow unmounting the auxiliary directory.
  # TODO: use fstype=tmpfs here for more strictness (LP: #1613403)
  mount options=(rprivate) -> /tmp/.snap/snap/photonotebook/x1/,
  umount /tmp/.snap/snap/photonotebook/x1/,
  # Allow unmounting the destination directory as well as anything
  # inside. This lets us perform the undo plan in case the writable
  # mimic fails.
  mount options=(rprivate) -> /snap/photonotebook/x1/,
  mount options=(rprivate) -> /snap/photonotebook/x1/*,
  mount options=(rprivate) -> /snap/photonotebook/x1/*/,
  umount /snap/photonotebook/x1/,
  umount /snap/photonotebook/x1/*,
  umount /snap/photonotebook/x1/*/,
}
//=======================================

Hi,
I’m going to kill this off as I have with brute force and ignorance managed to move the problem on, so I will submit a more informed issue.

many thanks to Ian Johnson!

cheers
Alan

sorry I should have read more closely your original post, but this is the cause of the issue (I added ``` before and after it to format it as code to make it more readable). See https://snapcraft.io/docs/snap-layouts for this snippet:

New entries in / (root)

Layouts cannot currently create new top-level files or directories. For example, the following layout declaration will not work:

```
layout:
  /foo: # Unsupported, cannot create new top-level directories.
    bind: $SNAP/foo
```

So you cannot create /resources using layouts unfortunately.

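The mechanism behind the answer above is visible in the posted material: the profile carries full mount rules for a writable mimic at /snap/photonotebook/x1/ (bind the directory aside under /tmp/.snap, mount a tmpfs over it, rebuild the entries), but for "Writable mimic /" it carries only `/ r,`, so the `mount / -> /tmp/.snap` that snap-update-ns attempts in the log is denied and the layout fails. The following is an added example, not code from the thread or from snapd: it shows the offending `layout:` stanza beside a corrected one whose target sits under an existing top-level directory, and a small checker that applies the one rule quoted from the snap-layouts docs (no new entries directly in /). The target /usr/share/photonotebook/resources is an assumed choice for illustration; the two snapcraft.yaml fragments are constructed samples and the line-oriented parser is intentionally minimal so the example needs no PyYAML.

```python
"""Added example (not from the thread or from snapd): flag snapcraft.yaml
layout targets that snap layouts cannot create.

Only rule applied: a layout cannot create a new top-level entry in /.
/usr/share/photonotebook/resources below is an assumed corrected target.
"""
import re
from typing import Dict, List

# Constructed sample: the stanza behind
#   cannot update snap namespace: cannot create writable mimic over "/"
BAD_SNAPCRAFT_YAML = """\
name: photonotebook
confinement: strict
layout:
  /resources:
    bind: $SNAP/resources
"""

# Constructed sample: same bind, target moved under an existing top-level
# directory (/usr), so no mimic over / is needed.  Assumed path.
GOOD_SNAPCRAFT_YAML = """\
name: photonotebook
confinement: strict
layout:
  /usr/share/photonotebook/resources:
    bind: $SNAP/resources
"""

# '  /path:' (optionally followed by a comment) directly under 'layout:'
_LAYOUT_KEY = re.compile(r"^  (/\S+?):\s*(?:#.*)?$")
# '    bind: $SNAP/...' style source specification for the current target
_LAYOUT_SPEC = re.compile(r"^    (bind|bind-file|symlink|type):\s*(\S+)")


def layout_targets(yaml_text: str) -> Dict[str, str]:
    """Return {target_path: 'kind=source'} for each entry under 'layout:'.

    Relies on snapcraft's conventional two/four-space indentation; any
    unindented line ends the layout block.
    """
    targets: Dict[str, str] = {}
    in_layout = False
    current = None
    for line in yaml_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            in_layout = line.rstrip() == "layout:"
            current = None
            continue
        if not in_layout:
            continue
        key = _LAYOUT_KEY.match(line)
        if key:
            current = key.group(1)
            targets[current] = ""
            continue
        spec = _LAYOUT_SPEC.match(line)
        if spec and current:
            targets[current] = f"{spec.group(1)}={spec.group(2)}"
    return targets


def is_new_top_level(target: str) -> bool:
    """True when the target would be a new entry directly in / (e.g. /resources)."""
    parts = [p for p in target.split("/") if p]
    return len(parts) == 1


def unsupported_targets(targets: Dict[str, str]) -> List[str]:
    """Targets the snap-layouts docs say cannot be created, in declaration order."""
    return [t for t in targets if is_new_top_level(t)]


def check(yaml_text: str) -> List[str]:
    """Findings for one snapcraft.yaml text; an empty list means no problem found."""
    return [
        f"layout target {t!r} ({spec}): layouts cannot create new top-level directories"
        for t, spec in layout_targets(yaml_text).items()
        if is_new_top_level(t)
    ]


if __name__ == "__main__":
    for label, text in (("bad", BAD_SNAPCRAFT_YAML), ("good", GOOD_SNAPCRAFT_YAML)):
        print(label, check(text) or "ok")
```

Run against a real snapcraft.yaml by passing its contents to `check()`; a non-empty result means the same "cannot create writable mimic over /" failure should be expected in strict or devmode confinement.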

I proposed a PR which will make it much more clear the error when you try to create the snap (i.e. when snap pack is run when you call snapcraft to try and build such a snap). https://github.com/snapcore/snapd/pull/8985
